Brian,
We are not entirely sure what you mean by "undefined behavior." Are
you talking about the CVE entries that specifically say "undefined
behavior," such as CVE-2017-8326 and CVE-2017-7961?
Thanks,
Jonathan
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
jericho
Sent: Tuesday, May 02, 2017 1:26 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Current standards/criteria for 'Undefined Behavior'
Importance: High
MITRE,
Can you outline the current standards, criteria, or guidelines you use
for assigning an ID to an issue that is simply 'undefined behavior'
with no indication of exploitability or crossing privilege boundaries?
We're seeing these a bit more frequently lately and they often appear
to get an ID without any examination by the researcher or MITRE. In
many cases, subsequent analysis determines these are non-issues and are
not exploitable.
Thanks,
Brian